Policy-based virtualization method involving adaptive enforcement
Abstract
A method is provided in which a permission for running a system software instance alongside another system software instance is issued on the basis of a first policy rule concerning the operation of a first software application and a second policy rule concerning the execution of a second software application.
20 Claims
1. A non-transitory computer readable medium storing instructions, that when executed by a computer, cause the computer to:
  execute a first system software instance in a virtualized environment;
  execute a policy enforcement point (PEP); and
  receive from a policy decision point (PDP) a decision as to whether a second system software instance should be allowed to execute concurrently with the first system software instance in the virtualized environment, wherein the policy enforcement point (PEP) is configured to selectively prevent the execution of the second system software instance in the virtualized environment based on the decision of the policy decision point (PDP).
Dependent claims: 2, 3, 4.
5. A system, comprising:
  a first telecommunications network node comprising a first server software and a processor, wherein the first server software is associated with a first telecommunications network perimeter, wherein the processor of the first node is operable to execute a first system software instance and a policy enforcement point (PEP);
  a second telecommunications network node comprising a second server software and a processor, wherein the second server software is associated with a second telecommunications network perimeter, wherein the processor of the second telecommunications network node is operable to execute a policy decision point (PDP);
  wherein the policy decision point (PDP) is configured to decide when a second system software instance should be allowed to execute concurrently with the first system software instance on the first telecommunications network node in a virtualized environment, wherein the decision depends on a first network policy rule related to the first telecommunications network perimeter and a second network policy rule related to the security of the second telecommunications network perimeter; and
  wherein the policy enforcement point (PEP) is configured to selectively prevent the execution of the second system software instance in the virtualized environment based on the decision of the policy decision point (PDP).
6. A method, comprising:
  transmitting a message by a software module indicating a permission to execute on a node a first server concurrently with a second server in a virtualized environment, wherein:
    the first server is executing within a first system software instance, and the second server is within a second system software instance;
    the permission depends on a first telecommunications network policy rule and a second telecommunications network policy rule, wherein:
      the first telecommunications network policy rule relates to the operation of the first server, and the second telecommunications network policy rule relates to the operation of the second server.
Dependent claims: 7, 8, 9, 10, 11.
12. A method, comprising:
  transmitting from a first node a message indicating a permission to execute on a second node a first software concurrently with a second server, wherein:
    the first software is executed within a first system software instance, and the second software is executed within a second system software instance;
    the permission is based on a first telecommunications network policy rule and a second telecommunications network policy rule, wherein:
      the first telecommunications network policy rule relates to the operation of the first server, and the second telecommunications network policy rule relates to the operation of the second server;
  transmitting from the first node to the second node a message identifying a telecommunications network policy rule to be implemented by firewall software executed on the second node; and
  in response to receipt of the message, launching at the second node an instance of firewall software implementing the rule.
13. A method, comprising:
  receiving a first telecommunications network policy rule, wherein the first rule relates to the operation of a first server in a telecommunications network;
  receiving a second telecommunications network policy rule, wherein the second rule relates to the operation of a second server in the telecommunications network;
  transmitting a message containing a permission to migrate the second server to a virtualized environment of a first telecommunications network node, wherein:
    the first telecommunications network node is host to the first server,
    the first server is executing within a first system software instance,
    the migration of the second server to the first telecommunications network node comprises the instantiation of a second system software instance at the first telecommunications network node and executing the second server within the second system software instance; and
    the permission depends on the first telecommunications network policy rule and the second telecommunications network policy rule.
14. A method, comprising:
  receiving a first telecommunications network policy rule, wherein the first telecommunications network policy rule relates to the operation of a first server in a telecommunications network;
  receiving a second telecommunications network policy rule, wherein the second telecommunications network policy rule relates to the operation of a second server in the telecommunications network;
  transmitting a message containing a permission to migrate the second server to a virtualized environment of a first telecommunications network node, wherein:
    the first telecommunications network node is host to the first server,
    the first server is executing within a first system software instance,
    the migration of the second server to the first telecommunications network node comprises the instantiation of a second system software instance at the first node and executing the second server within the second system software instance; and
    the permission depends on the first telecommunications network policy rule and the second telecommunications network policy rule; and
  transmitting a message indicating a suggestion for a hardware upgrade of the first node, wherein the suggestion depends on the expected utilization of computer hardware resources by the first virtual server.
15. A method, comprising:
  receiving a first telecommunications network policy rule, wherein the first telecommunications network policy rule relates to the operation of a first server in a telecommunications network;
  receiving a second telecommunications network policy rule, wherein the second telecommunications network policy rule relates to the operation of a second server in the telecommunications network;
  transmitting a message containing a permission to migrate the second server to a virtualized environment of a first telecommunications network node, wherein:
    the first node is host to the first server,
    the first server is executing within a first system software instance,
    the migration of the second server to the first node comprises the instantiation of a second system software instance at the first node and executing the second server within the second system software instance; and
    the permission depends on the first policy rule and the second policy rule;
  transmitting an indication of a third telecommunications network policy rule, wherein:
    the third telecommunications network policy rule is to be implemented by a firewall software, wherein the firewall software is executing on the first node, and
    the third telecommunications network policy rule depends on the first rule and the second rule.
Dependent claims: 16, 17.
18. A method, comprising:
  receiving a request to migrate a second virtual server to a virtualized environment of a telecommunications network node, wherein the telecommunications network node is executing a first virtual server; and
  transmitting a message containing a permission to migrate the second virtual server to the telecommunications network node, wherein:
    the first virtual server is executing within a first system software instance, and
    the migration of the second virtual server to the telecommunications network node comprises the instantiation of a second system software instance at the telecommunications network node and executing the second virtual server within the second system software instance; and
    the permission depends on a first telecommunications network policy rule and a second telecommunications network policy rule.
19. A system, comprising:
  a first telecommunications network node executing a virtualized environment, wherein the first node is operable to execute a first virtual server and a first software module, wherein the first virtual server is executing within a first system software instance;
  a second software module, wherein the second software module decides whether a second virtual server should be allowed to execute within a second system software instance concurrently with the first virtual server on the first node; and
  wherein the first software module selectively prevents the operation of the second virtual server on the basis of a decision provided by the second software module.
Dependent claims: 20.
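The following Python is an added example, not code from the patent or its assignee. It models the architecture the claims describe: a policy decision point (PDP) that decides, from a first and a second network policy rule, whether a second system software instance may run concurrently with a first one on a node (claims 1, 5, 19), the derived third rule handed to firewall software on that node (claims 12, 15), and the same check applied when the second instance arrives by migration (claims 13, 18). The rule fields (perimeter, isolation level, allowed ports), the isolation vocabulary, and the server and node names are assumptions made for illustration; the hardware-upgrade suggestion of claim 14 is not modelled.

```python
"""Toy PDP/PEP co-residency model (added example; not the patent's code).

Assumed for illustration only: the rule fields (perimeter, isolation,
allowed_ports), the isolation vocabulary, and the server/node names below.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Isolation levels a policy rule can demand (assumed vocabulary). When two
# rules meet, the stricter level decides.
_ISOLATION_RANK = {"shared": 0, "zone": 1, "dedicated": 2}

FirewallRule = Tuple[str, str, str, object]  # (action, src, dst, port or "*")


@dataclass(frozen=True)
class PolicyRule:
    """Network policy rule for one server (one system software instance)."""
    server: str
    perimeter: str            # network perimeter (trust zone) the server belongs to
    isolation: str            # "shared", "zone" (same perimeter only) or "dedicated"
    allowed_ports: frozenset  # TCP ports a co-located instance may reach on it


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    # Third rule(s), derived from the first and second rule, for the firewall
    # software on the hosting node (the "third rule" of claims 12 and 15).
    firewall_rules: Tuple[FirewallRule, ...] = ()


def derive_firewall_rules(a: PolicyRule, b: PolicyRule) -> Tuple[FirewallRule, ...]:
    """Allow each instance to reach only the other's allowed ports; deny the rest."""
    rules: List[FirewallRule] = []
    for src, dst in ((a, b), (b, a)):
        for port in sorted(dst.allowed_ports):
            rules.append(("allow", src.server, dst.server, port))
        rules.append(("deny", src.server, dst.server, "*"))
    return tuple(rules)


class PolicyDecisionPoint:
    """PDP: decides whether `second` may share a node with `first`."""

    def __init__(self, rules: Iterable[PolicyRule]) -> None:
        self._rules: Dict[str, PolicyRule] = {r.server: r for r in rules}

    def has_rule(self, server: str) -> bool:
        return server in self._rules

    def decide(self, first: str, second: str) -> Decision:
        a, b = self._rules.get(first), self._rules.get(second)
        if a is None or b is None:
            # Fail closed: an instance without a policy rule gets no permission.
            return Decision(False, f"no policy rule for {first if a is None else second}")
        strictest = max(a.isolation, b.isolation, key=_ISOLATION_RANK.__getitem__)
        if strictest == "dedicated":
            return Decision(False, "a dedicated-isolation instance cannot share a node")
        if strictest == "zone" and a.perimeter != b.perimeter:
            return Decision(False, f"perimeters differ ({a.perimeter} vs {b.perimeter})")
        return Decision(True, "co-residency permitted", derive_firewall_rules(a, b))


class PolicyEnforcementPoint:
    """PEP on one node: instantiates a second instance only if the PDP permits."""

    def __init__(self, node: str, pdp: PolicyDecisionPoint) -> None:
        self.node = node
        self._pdp = pdp
        self.running: List[str] = []
        self.firewall: List[FirewallRule] = []

    def launch(self, server: str) -> Decision:
        """Fresh launch or migration target: every running instance must be
        permitted to co-reside with `server` before it is instantiated."""
        if not self._pdp.has_rule(server):
            return Decision(False, f"no policy rule for {server}")
        pending: List[FirewallRule] = []
        for existing in self.running:
            decision = self._pdp.decide(existing, server)
            if not decision.permit:
                return decision  # node left unchanged
            pending.extend(decision.firewall_rules)
        self.firewall.extend(pending)  # apply derived rules, then start the instance
        self.running.append(server)
        return Decision(True, f"{server} instantiated on {self.node}", tuple(pending))


# Constructed sample policy (not real infrastructure).
SAMPLE_RULES = [
    PolicyRule("web-dmz", "dmz", "zone", frozenset({443})),
    PolicyRule("cache-dmz", "dmz", "zone", frozenset({6379})),
    PolicyRule("log-core", "core", "shared", frozenset({514})),
    PolicyRule("billing-db", "core", "dedicated", frozenset({5432})),
]

if __name__ == "__main__":
    pep = PolicyEnforcementPoint("edge-1", PolicyDecisionPoint(SAMPLE_RULES))
    for name in ("web-dmz", "cache-dmz", "log-core", "billing-db", "unknown"):
        d = pep.launch(name)
        print(f"{name:11s} {'PERMIT' if d.permit else 'DENY  '} {d.reason}")
    print("firewall:", pep.firewall)
```

Two design points matter in practice. The PDP fails closed: an instance with no policy rule is never permitted, so a gap in policy coverage cannot become an implicit "allow". And the PEP only applies the derived firewall rules and records the new instance after every pairwise decision has been permitted, so a denied launch or migration leaves the node's running set and firewall state exactly as they were.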
Specification